Posted to commits@ranger.apache.org by rm...@apache.org on 2021/09/17 18:42:42 UTC
[ranger] branch master updated: RANGER-3407:Handle authorization of
Hive Drop database / table if exists in RangerHiveAuthorizer when database
/ table doesn't exist
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 885640e RANGER-3407:Handle authorization of Hive Drop database / table if exists in RangerHiveAuthorizer when database / table doesn't exist
885640e is described below
commit 885640eaab7c2229056de41a3535a10d0418b204
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Fri Sep 17 10:04:43 2021 -0700
RANGER-3407:Handle authorization of Hive Drop database / table if exists in RangerHiveAuthorizer when database / table doesn't exist
---
.../hive/authorizer/RangerHiveAuthorizer.java | 113 ++++++++++++++++++++-
1 file changed, 110 insertions(+), 3 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index e0934de..42837cd 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -995,9 +995,16 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
}
- if (CollectionUtils.isEmpty(requests) && !IsCommandInExceptionList(hiveOpType)) {
- String commandString = context == null ? "" : context.getCommandString();
- throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , HivePrivilegeObjects are not available to authorize this command!", commandString));
+ if (CollectionUtils.isEmpty(inputHObjs) && CollectionUtils.isEmpty(outputHObjs) && !IsCommandInExceptionList(hiveOpType)
+ && (hiveOpType.equals(HiveOperationType.DROPDATABASE) || hiveOpType.equals(HiveOperationType.DROPTABLE))) {
+ //Handle Drop If exists statements where both inputHObjs and outputHObjs will be empty and request has to created out of commandString.
+ RangerHiveAccessRequest request = buildRequestForDropIfExistsCommands(hiveOpType, user, groups, roles, hiveOpType.name(), context, sessionContext);
+ if (request != null) {
+ requests.add(request);
+ }
+ } else {
+ String commandString = context == null ? "" : context.getCommandString();
+ throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , HivePrivilegeObjects are not available to authorize this command!", commandString));
}
buildRequestContextWithAllAccessedResources(requests);
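Review bot: A null result from buildRequestForDropIfExistsCommands is silently dropped at the `if (request != null)` guard, so `requests` stays empty and execution continues into buildRequestContextWithAllAccessedResources — a DROP ... IF EXISTS whose command string could not be parsed into a database/table name is let through with no access request at all instead of being rejected like every other un-authorizable command. The guard should fail closed, e.g. `} else { throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , HivePrivilegeObjects are not available to authorize this command!", context == null ? "" : context.getCommandString())); }`. Separately, as rendered the new `else` branch throws for every command that does not meet the drop-if-exists condition, including commands whose `requests` list is already populated; if this `if` replaces the removed `isEmpty(requests)` guard rather than nesting inside it, ordinary authorization would break — indentation is lost in this view, so that needs confirming against the file. The enclosing method starts and ends outside the hunk.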
@@ -2548,6 +2555,72 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return requestedResources;
}
+ private RangerHiveAccessRequest buildRequestForDropIfExistsCommands(HiveOperationType hiveOpType,
+ String user,
+ Set<String> userGroups,
+ Set<String> userRoles,
+ String hiveOpTypeName,
+ HiveAuthzContext context,
+ HiveAuthzSessionContext sessionContext) {
+ RangerHiveAccessRequest request = null;
+
+ switch (hiveOpType) {
+ case DROPDATABASE:
+ request = buildRequestForDropDatabaseIfExistsCommands(user,userGroups,userRoles,hiveOpTypeName,context,sessionContext);
+ break;
+
+ case DROPTABLE:
+ request = buildRequestForDropTableIfExistsCommands(user,userGroups,userRoles,hiveOpTypeName,context,sessionContext);
+ break;
+ }
+
+ return request;
+ }
+
+ private RangerHiveAccessRequest buildRequestForDropDatabaseIfExistsCommands(String user,
+ Set<String> userGroups,
+ Set<String> userRoles,
+ String hiveOpTypeName,
+ HiveAuthzContext context,
+ HiveAuthzSessionContext sessionContext) {
+ RangerHiveResource resource = null;
+ RangerHiveAccessRequest request = null;
+ HiveObj hiveObj = new HiveObj();
+ hiveObj.fetchHiveObjForDropDatabase(context);
+ String dbName = hiveObj.getDatabaseName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Database: " + dbName);
+ }
+ if (dbName != null) {
+ resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
+ request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.DROP, context, sessionContext);
+ }
+ return request;
+ }
+
+
+ private RangerHiveAccessRequest buildRequestForDropTableIfExistsCommands(String user,
+ Set<String> userGroups,
+ Set<String> userRoles,
+ String hiveOpTypeName,
+ HiveAuthzContext context,
+ HiveAuthzSessionContext sessionContext) {
+ RangerHiveResource resource = null;
+ RangerHiveAccessRequest request = null;
+ HiveObj hiveObj = new HiveObj();
+ hiveObj.fetchHiveObjForDropTable(context);
+ String dbName = hiveObj.getDatabaseName();
+ String tableName = hiveObj.getTableName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Database: " + dbName + " Table: " + tableName);
+ }
+ if (dbName != null && tableName != null) {
+ resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
+ request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.DROP, context, sessionContext);
+ }
+ return request;
+ }
+
private boolean isBlockAccessIfRowfilterColumnMaskSpecified(HiveOperationType hiveOpType, RangerHiveAccessRequest request) {
boolean ret = false;
RangerHiveResource resource = (RangerHiveResource)request.getResource();
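Review bot: buildRequestForDropTableIfExistsCommands returns null whenever the table name is unqualified, because `fetchHiveObjForDropTable` only sets `databaseName` when the token contains a dot, and the `dbName != null && tableName != null` check then fails; a plain `drop table if exists t` therefore produces no request at all unless a default database is filled in somewhere I cannot see from the hunk. If the current session database is obtainable here it should be applied before the check; otherwise the method's contract (returns null when the command cannot be mapped to a resource) needs to be documented and the caller must treat null as a denial. None of the three new private methods has a Javadoc; at minimum buildRequestForDropIfExistsCommands should state `/** Builds a DROP access request from the raw command string for DROP DATABASE/TABLE IF EXISTS on a non-existent object; returns null if the name cannot be parsed. */`. The two helpers differ only in the HiveObj fetch call and the object type and could share one body, which would also keep the null-handling in a single place.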
@@ -3205,6 +3278,8 @@ class HiveObj {
String databaseName;
String tableName;
+ HiveObj() {}
+
HiveObj(HiveAuthzContext context) {
fetchHiveObj(context);
}
@@ -3237,6 +3312,38 @@ class HiveObj {
}
}
+ public void fetchHiveObjForDropDatabase(HiveAuthzContext context) {
+ // cmd passed: drop database if exists <db>
+ if (context != null) {
+ String cmdString = context.getCommandString();
+ if (cmdString != null) {
+ String[] cmd = cmdString.trim().split("\\s+");
+ if (!ArrayUtils.isEmpty(cmd) && cmd.length > 3) {
+ databaseName = cmd[4];
+ }
+ }
+ }
+ }
+
+ public void fetchHiveObjForDropTable(HiveAuthzContext context) {
+ // cmd passed: drop table if exists <db.table> or drop database if exists <table>
+ if (context != null) {
+ String cmdString = context.getCommandString();
+ if (cmdString != null) {
+ String[] cmd = cmdString.trim().split("\\s+");
+ if (!ArrayUtils.isEmpty(cmd) && cmd.length > 3) {
+ tableName = cmd[4];
+ if (tableName.contains(".")) {
+ String[] result = splitDBName(tableName);
+ databaseName = result[0];
+ tableName = result[1];
+ }
+ }
+ }
+ }
+ }
+
+
private String[] splitDBName(String dbName) {
String[] ret = null;
ret = dbName.split("\\.");
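Review bot: The length guard is off by one in both new methods: `cmd.length > 3` admits a four-token command, and the next line then reads `cmd[4]`, which throws ArrayIndexOutOfBoundsException out of the authorizer instead of yielding a null name; it should be `if (!ArrayUtils.isEmpty(cmd) && cmd.length > 4) {` in fetchHiveObjForDropDatabase and fetchHiveObjForDropTable alike. The fixed-position parse is also the only source of the resource being authorized, so any legitimate lexical variant — backtick-quoted identifiers (`cmd[4]` would be "`db`.`t`", and splitDBName on it keeps the backticks), a leading comment, or a different keyword order — yields a name Ranger will not match, and the comment should say so: `// Positional parse of "drop database|table if exists <name>"; any other spelling yields no name and must be treated as unauthorized by the caller.`. The comment on fetchHiveObjForDropTable is also wrong about its own input: it should read `// cmd passed: drop table if exists <db.table> or drop table if exists <table>`. Whether Hive passes the command string already normalized is not visible here and determines how much of this matters.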